roryqi opened a new issue, #10410: URL: https://github.com/apache/gravitino/issues/10410
### Describe the subtask

Problem Description

As part of the broader initiative to support group-based access control, Gravitino currently lacks a mechanism to automatically utilize the group membership information that is commonly embedded within standard OAuth 2.0 / OpenID Connect (OIDC) tokens. In many enterprise single sign-on (SSO) setups, identity providers (IdPs) such as Keycloak, Okta, Azure AD, etc., include user group or role claims (e.g., `groups`, `roles`, `memberOf`) in the ID Token or Access Token. Presently, this valuable information is not extracted by Gravitino's authentication/authorization layer, making the upcoming group-based authorization feature less effective for users who authenticate via OAuth/OIDC.

Goal

Enhance Gravitino's OAuth/OIDC authentication module to parse and extract group membership information from the verified token's claims. The extracted groups should be populated into the user's authorization context (e.g., the `groups` field in `AccessControlContext`), making them available for the group-based permission evaluation.

### Parent issue

#10404

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]

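The issue above asks for group claims to be read out of a verified token and handed to the authorization context. The following is an added example (editor's code, not Gravitino's and not the issue author's) of what that extraction step looks like once a JWT library has verified the token and produced its claim set as a `Map<String, Object>`. The class name `TokenGroupExtractor`, the default claim list, and the sample claim maps in `main` are assumptions for illustration. It covers the claim shapes the named IdPs actually emit: a flat `groups`/`roles`/`memberOf` array, Keycloak's nested `realm_access.roles`, a bare string value, and Azure AD's groups-overage marker (`_claim_names`), where the token carries no groups and an empty result must not be read as "member of nothing".

```java
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Extracts group membership from the claims of an already-verified OIDC/OAuth token.
 * Editor's example; not part of Gravitino.
 */
public final class TokenGroupExtractor {

    // Claim names checked in order; the first one present wins. A dotted name walks nested
    // objects, e.g. Keycloak's "realm_access.roles". Assumed configurable in a real deployment.
    private final List<String> claimNames;

    public TokenGroupExtractor(List<String> claimNames) {
        this.claimNames = List.copyOf(claimNames);
    }

    public static TokenGroupExtractor withDefaults() {
        return new TokenGroupExtractor(List.of("groups", "roles", "memberOf", "realm_access.roles"));
    }

    /**
     * Azure AD drops the "groups" claim and emits "_claim_names"/"_claim_sources" when the user
     * belongs to more groups than fit in the token. In that case the token says nothing about
     * membership and the caller must resolve groups out of band (or deny), not treat it as empty.
     */
    public boolean isGroupOverage(Map<String, Object> claims) {
        return claims.containsKey("_claim_names");
    }

    /**
     * @param claims decoded claim set of a token whose signature, issuer, audience and expiry
     *               have ALREADY been verified. Never pass claims from an unverified token.
     * @return distinct, trimmed, non-empty group names in claim order; empty if no group claim
     *         is present or if the token signals overage (check isGroupOverage first).
     */
    public Set<String> extract(Map<String, Object> claims) {
        if (isGroupOverage(claims)) {
            return Collections.emptySet();
        }
        for (String name : claimNames) {
            Object value = resolve(claims, name);
            if (value != null) {
                return normalize(value);
            }
        }
        return Collections.emptySet();
    }

    // Direct lookup first (a claim may literally contain a dot), then a nested walk.
    private static Object resolve(Map<String, Object> claims, String name) {
        if (claims.containsKey(name)) {
            return claims.get(name);
        }
        Object current = claims;
        for (String part : name.split("\\.")) {
            if (!(current instanceof Map)) {
                return null;
            }
            current = ((Map<?, ?>) current).get(part);
            if (current == null) {
                return null;
            }
        }
        return current;
    }

    private static Set<String> normalize(Object value) {
        Set<String> groups = new LinkedHashSet<>();
        if (value instanceof String) {
            // A bare string is ONE group. Do not split on commas: AD-style memberOf values are
            // DNs such as "CN=admins,OU=groups,DC=example,DC=com".
            addIfMeaningful(groups, (String) value);
        } else if (value instanceof Iterable) {
            for (Object element : (Iterable<?>) value) {
                // Non-string entries (numbers, nested objects) are ignored, not toString()'d.
                if (element instanceof String) {
                    addIfMeaningful(groups, (String) element);
                }
            }
        }
        // Any other JSON type (number, boolean, object) is not a group list: yield nothing.
        return Collections.unmodifiableSet(groups);
    }

    private static void addIfMeaningful(Set<String> groups, String raw) {
        String trimmed = raw.trim();
        if (!trimmed.isEmpty()) {
            groups.add(trimmed);
        }
    }

    public static void main(String[] args) {
        TokenGroupExtractor extractor = withDefaults();

        // Constructed claim sets for demonstration; not tokens from any real IdP.
        Map<String, Object> oktaStyle = Map.of(
            "sub", "alice", "groups", List.of("data-eng", "admins", "data-eng", " "));
        System.out.println("okta-style   : " + extractor.extract(oktaStyle));

        Map<String, Object> keycloakStyle = Map.of(
            "sub", "bob", "realm_access", Map.of("roles", List.of("analyst", 42)));
        System.out.println("keycloak-style: " + extractor.extract(keycloakStyle));

        Map<String, Object> adStyle = Map.of(
            "sub", "dave", "memberOf", "CN=admins,OU=groups,DC=example,DC=com");
        System.out.println("ad-style      : " + extractor.extract(adStyle));

        Map<String, Object> azureOverage = Map.of(
            "sub", "carol", "_claim_names", Map.of("groups", "src1"));
        System.out.println("azure overage : " + extractor.isGroupOverage(azureOverage)
            + ", groups=" + extractor.extract(azureOverage));
    }
}
```

Two design points matter for the authorization context the issue describes. First, the extractor must only ever see claims that have passed signature, issuer, audience and expiry checks; group names copied from an unverified token are attacker-controlled input into permission evaluation. Second, the mapping from the claim to the `groups` field should be a deliberate fail-closed step: an absent claim and an overage marker both produce an empty set here, but the overage case is surfaced separately so that the caller can choose to deny rather than silently grant a user the permissions of "no groups".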